diff options
author | Alex Bennée <alex.bennee@linaro.org> | 2024-11-11 23:00:40 +0000 |
---|---|---|
committer | Philippe Mathieu-Daudé <philmd@linaro.org> | 2024-11-18 13:36:39 +0100 |
commit | 7b5574225429621e7122a83c06d1b23931f152df (patch) | |
tree | c5b515c14ae8f51257e4197287522c5797cd273f /hw | |
parent | c4e1c361b342ccff11df6748198b1e0bcad9b635 (diff) |
hw/display: check frame buffer can hold blob
Coverity reports (CID 1564769, 1564770) that we potentially overflow
by doing some 32x32 multiplies for something that ends up in a 64 bit
value. Fix this by first using stride for all lines and casting input
to uint64_t to ensure a 64 bit multiply is used.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Message-ID: <20241111230040.68470-3-alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Diffstat (limited to 'hw')
-rw-r--r-- | hw/display/virtio-gpu.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c index e7ca8fd1cf..7d22d03bbf 100644 --- a/hw/display/virtio-gpu.c +++ b/hw/display/virtio-gpu.c @@ -742,8 +742,7 @@ bool virtio_gpu_scanout_blob_to_fb(struct virtio_gpu_framebuffer *fb, fb->offset = ss->offsets[0] + ss->r.x * fb->bytes_pp + ss->r.y * fb->stride; fbend = fb->offset; - fbend += fb->stride * (ss->r.height - 1); - fbend += fb->bytes_pp * ss->r.width; + fbend += (uint64_t) fb->stride * ss->r.height; if (fbend > blob_size) { qemu_log_mask(LOG_GUEST_ERROR, |